Date: Sat, 17 Mar 2012 06:18:20 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Cc: john-users@...ts.openwall.com
Subject: [openwall-announce] pwgen common password lists

Hi,

The Openwall wordlists collection (paid, full) now comes with a bonus -
two lists of passwords commonly generated by pwgen 2.06 with default
settings for output to a tty and non-tty. These contain 44 and 45.5
million entries and they crack 21% and 75% of passwords of the
corresponding kind - for tty and non-tty, respectively. pwgen is a
fairly popular command-line password generator program for Unix systems.
It is part e.g. of Debian and Ubuntu.

The unfortunate property of pwgen that made this possible (non-uniform
distribution and small keyspace of its generated passwords) was
discussed on oss-security and Bugtraq in January:

http://www.openwall.com/lists/oss-security/2012/01/22/6

and on john-users in 2010.

Part of the problem (small keyspace, but not non-uniform distribution)
was publicly known since 2004 (if not earlier):

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=276976

(The fix was to document the problem...)

Our wordlists with the pwgen bonus may be purchased here:

http://www.openwall.com/wordlists/

Those of you who would rather not support us may obtain almost all of
the same wordlists (but not the pwgen bonus yet) from /pub/wordlists in
our file archive and its mirrors:

http://download.openwall.net
http://www.openwall.com/mirrors/

And indeed anyone (with some shell scripting skills or the like) can
generate similar pwgen lists in a couple of days, which actually makes
me more comfortable about using ours as a way to encourage people and
companies to support our project financially. ;-)

Speaking of alternatives to pwgen, our own pwqgen (from our passwdqc
package) has been tested for (lack of) a similar issue:

http://www.openwall.com/lists/passwdqc-users/2012/01/27/1
http://www.openwall.com/passwdqc/

Alexander